Flatten Electronics, a second generation family business, has just been notified that there may have been a data breach associated with credit cards used at their stores. The initial reports indicate that at least 1,500 accounts may have been compromised, although this number appears to be growing quickly as more banks and clearing houses are notified of the possible breach. Flatten is a small, regional electronics business with 32 stores in six (6) states. The case study is happening within 24 hours of first notification of the possible breach.

1. Analyze how the Critical Success Factors (CSFs) apply to the facts of the case study. Provide examples to support your analysis.

In order to respond to this first requirement we need to ensure we understand the definition of a CSF and the categories at which we will be looking. Hillson and Simon (2012) define a CSF as “a condition that is required to ensure success and whose absence leads to failure” (p. 236), and Hellman (2005) defines them as “those elements that must be completed in order for the project to be considered a success.” Based on these definitions, the following CSFs and possible metrics for measuring and determining the results of the company’s efforts have been determined.
Hillson and Simon have noted four categories into which Critical Success Factors (CSFs) fall: Supportive Organization; Competent People; Appropriate Methods, Tools and Techniques; and Simple, Scalable Process. Examples of these CSFs and possible metrics follow (CSF Category / CSF / Metric(s)):

Supportive Organization
  - Buy-in from all departments: All departments agree to and sign off on the plan
  - Customer must come first: All required personnel made available
  - External contractual arrangements made: External support requirements identified and implemented in accordance with (IAW) the plan

Competent People
  - Skilled, trained and competent staff: Information Security Director position defined and staffed within 30 days; HR and IT meet staffing goals within 45 days of notice; current personnel not meeting requirements within 6 months of notice released; temporary, external resources used as required
  - Training requirements and policies established: Competent internal/external training resources identified and contracted with within 3 months; annual training and certification of IT personnel

Appropriate Methods, Tools and Techniques
  - Secure technology infrastructure: Identify and seal current breach point within 48 hours; upgrade equipment and software within 12 weeks; external contract resources employed until internal needs are met; maintain 100% secure gateways
  - Develop policies and procedures: Establish and implement policy(ies) and procedures within 3 months, updated as required; clear and concise customer notification policies developed, with customers notified in writing and on the website
  - Implement security verification procedures: Conduct scheduled (3) and unscheduled security checks and tests annually (98% pass); conduct a forensic audit by an external team to identify extent, cause and fixes within the next 2 weeks; conduct a bi-annual security audit; ensure 100% compliance with industry standards

Simple, Scalable Process
  - Project plan developed and implemented IAW PMI processes, and IAW ITIL where appropriate: Appropriate resources available and supportive; completed in small, measurable steps; results in a secure and operational infrastructure supported by policy actions; completed in 6 months

Let us look at a couple of these CSFs as they apply to the case study.

A. Supportive Organization – everyone appears to understand the seriousness of the possible data breach and wants it resolved, but each is looking at different aspects.
Brett, the CEO, wants the store protected and his customers protected and taken care of, as they are family to him, as noted by the pictures on the wall outside his office. Darrell, the long-time legal counsel for the firm, wants to let the banks break the news, as that will make it appear as if they are at fault, but this data breach may not be an area in which he has great knowledge. He would also like to let the Secret Service handle the whole thing and wait till they have finished their investigation, which could take months or longer. Laurie, the Loss Prevention Specialist, wants to protect the store but realizes this is out of her realm of expertise.
Sergei, as the CIO, is the most at fault. He admits that they were only 75% PCI compliant; that they had new firewalls – software and hardware – being set up but they were having trouble with them; and that one of the firewalls had been down for an unknown period of time. Sergei has the most to lose – his job and his reputation. Ben, the HR director, has identified possible suspects from personnel who have recently left the business, but blindly turning names over to the police could expose the company to more liability claims. Sally, the PR person, is just looking for some direction in which way to proceed.
Each of these people wants what is best for the company, but for different reasons. Brett needs to ensure that each person agrees fully with his final decision and that they will support it going forward.

B. Competent People – The company has fallen short in this area. Darrell appears to have little experience in this arena. The company may wish to hire outside counsel with expertise in this area to help develop a quick response with which both Brett and Darrell can work. Laurie is outside of her skill area to resolve the breach, but she should be able to help support policy development.
Sergei is the biggest issue. It appears that he has no policies in place for such problems; that he is not in control of his personnel; that he hasn’t been informing the CEO of the status of his department; nor does he appear to have plans in place to implement full network security. Ben appears to be doing his job but now must focus on quickly finding both temporary and permanent hires to help resolve the issue. Sally needs to investigate the options available further and present a short briefing concerning the options and possible results.
Brett, as the CEO, has been relying too much on people doing their jobs and hasn’t spent enough time checking to see if they are.

C. Appropriate Methods, Tools and Techniques – The company needs to move quickly, but smartly, in this area. It needs to bring in outside contract help to quickly define and establish a secure network. It needs to define supportable and legal policies to define the work environment, job skill and training requirements, etc. Between Brett, Darrell, and Sally, with some input from Sergei and Laurie, they need to develop a communications policy that addresses how to respond to incidents such as this.
D. Simple, Scalable Process – The company needs to develop an overall project plan to achieve the CSFs defined above. The plan should be built in sections related to each department and integrated into one plan. The company may need to bring in an outside PM to manage the overall plan, with a project leader to handle each of the smaller section plans. Brett must ensure that each department and department head is fully supportive of the plan. Brett himself must be the Champion of the overall plan, with the department heads championing their plans.

2. Determine the project benefits, organizational readiness, and risk culture of the company in the case study.

A. Some of the benefits associated with a project aligned with the CSFs as they are laid out are:
a. The company develops a secure and PCI compliant network and internet portal, thereby reducing their legal liability for future breaches.
b. With a secure network, the company can regain their customers’ trust.
c. The entire company is moving forward in the same direction.
d. Company personnel gain an understanding that the company will do what is required to remain a viable business.
e. Company personnel gain an understanding of what their job is and that, through training and policy guidance, the company will work towards what is best for all of them.

B. The organizational readiness of the company to meet the CSFs is lagging and very suspect. The IT department does not have the personnel available to handle the required upgrades. This is evident in the inability to establish a functional firewall, in the inability to determine when the firewall was taken down, etc. They also do not appear to be set up to handle project planning and implementation as defined by the Project Management Institute or the ITIL process.
Between the IT and HR departments they have failed to secure the resources required to support company IT functions. This is also indicated by the CIO’s lack of awareness. Their legal counsel and PR department are also unprepared for this type of event. However, they should be able to recover more quickly than the other departments. Given the shock that they have had from this incident, and depending on the final direction that the CEO, Brett, decides on, the department heads and at least a couple of the departments should be raring to go, as they should feel the need to prove themselves.
But overall, at this point, none of them appear ready to move forward in great leaps and bounds.

C. The risk culture of the organization, especially the IT department, appears to be bordering on risk denial. As noted by Hillson and Simon (p. 17), “Denial results in important risks being ignored, and decisions being made without cognizance of the associated risks.” This is most evident in the IT department concerning the firewall being down and the other issues associated with the firewall and IT personnel. It also shows in Darrell’s response to let the banks, as first reporters, bear the brunt of the fallout, and in Brett’s not knowing about and supposedly not questioning the state of the IT upgrade effort. Brett’s attitude where the customers are concerned appears to be risk averse, as he wants nothing to affect the company’s relationship with them. So Sergei could bear all of the fallout if the issue is not properly handled with minimal losses to the customers and the company.

3. Develop at least three (3) project risk recommendations based on the analysis from criteria number 1 and 2 of this assignment.
In order to resolve the risk associated with this case study as presented in items 1 and 2 above, I recommend that the following items be completed.

A. An external forensic IT team be brought in to work with the company’s IT personnel to identify and resolve current IT fail points. This would help eliminate or greatly reduce current exposure and help identify where the breach occurred. It would also help the company’s IT personnel grow their skill sets and identify to them what skills they need to further develop. The forensic team should also be contracted to develop recommendations for future upgrades to the IT system, to include hardware, software, and system policies. It should also be requested that the audit team identify those skill sets needed to support, manage and grow the system.

B. To help resolve future risks associated with upgrades to the IT system and associated company policies, it is recommended that the company CIO, Loss Prevention Officer and CEO develop a Statement of Work based on the forensic team’s recommendations, with associated milestones, acceptance criteria and funding data as determined by the CIO and finance director.

C. An external Program Manager be brought in to manage the IT upgrade, with the CIO and CEO as champions. The PM’s charter should also include the task of working with internal team leaders to develop their project planning skills, with the idea of them then seeking external skill development and training under the company’s auspices.

D. The company should bring in an external policy development expert to work with department heads to develop policies that reflect the cultural and legal needs of the company.

E. Upon completion of the IT upgrade and policy development projects, the company should bring in a different audit team to review the system and policies. This will eliminate any conflict of interest.

Following these recommendations should greatly reduce the risk associated with the CSFs noted above. It will do so by bringing in knowledgeable, external experts to deal with the majority of the issues while starting the training and upgrading of internal personnel’s skills. It should also go a good distance in reassuring the company’s customers that it has their “welfare” as its driving goal and thereby reduce the possibility of lawsuits. However, this will only happen if the company informs its customers of its plans and actions.

4. Identify the initial categories of risk (RBS Level 1 and 2) that you see as being present in the case study using the Example Risk Checklist (Figure A-2, Hillson & Simon text).

Organizations use risk breakdown structures (RBS) in conjunction with work breakdown structures (WBS) to help management teams identify and eventually analyze risks.